Configuring IPv6 Access Control Lists

IPv6 is extremely cool in all but it is not the holy grail of security and you must still use access-list to ensure infrastructure security. This lab will discuss and demonstrate the configuration and verification of IPv6 access control lists.

Real World Application & Core Knowledge

So if you’ve completed the previous 5 labs then you should have a knowledgeable understanding of IPv6 and IPv6 routing infrastructures. However one thing left to discuss remains of the utter most importance in any network; Security.

In the real world, the ability to prevent machines such as Student PC’s in a lab at a university from communicating to Enrollment Servers or Servers that host the database of the students grades is very important. There are some young students that have a knowledgeable understanding of SQL injection methods that could easily change their grades or even their finances. Of course the same could be applied to many companies such as a Hospital for example, you don’t want visitor PC’s to have the ability to access Servers that host protected health information about patients which could include identification information such as name, address, social security number and health information which should remain private. Regardless of the scenario there is ALWAYS a need for security in a network.

The first line of defense is Access Control List (ACL). When working with Access List keep in mind they are processed top down. So for example lets say you there is a teacher PC in a classroom that needs to access a server farm however other student PC’s are on the same network and they need to be denied access to the server farm. How can you achieve this desired policy?

Well on the first line of an ACL you can permit the teach PC that has the source address 2001:ABAD:BEEF:1001::5/64 access to nodes located in the the server farm located in the 2001::ABAD:BEEF:FADE::0/64 network however on the second line you can deny the network that the teacher PC and student PC’s are on which is 2001:ABAD:BEEF:1001::0/64 from accessing the server farm located at 2001:ABAD:BEEF:FADE::0/64. Since the ACL is processed top down this would permit the teacher PC to access the server farm network and deny student PC’s on the same source network from accessing servers located in the server farm because the teacher PC was processed first and permitted.

Configuring an IPv6 ACL is much like configuring an IPv4 ACL however you do not have numbered, standard or extended access-list. You have single type of IPv6 access list that can function like a standard or extended access-list. For example with a standard IPv4 ACL you can specified permit 10.0.0.0 any and an extended ACL can permit traffic from10.0.0.25 255.255.255.255 to access 10.20.5.81 255.255.255.25 equal to port 80.

With IPv6 ACL’s you have the same ability. You can use a standard broad statement that encompass all source traffic to any destination or you can get granular with the ACL statements and permit specific host to specific destinations based on source and destination port numbers.

To configure an IPv6 access list you’ll use the ipv6 access-list NAME command in global configuration. From there you’ll be placed into IPv6 access-list configuration mode where you have the ability to specify the ACL statements. an example is given below;

As with any ACL you have the ability to assign the ACL to a particular interface in a particular direction, ingress or egress. (incoming or outgoing). Assigning an IPv6 access list to an interface is different then its processor. When assigning an IPv4 access list to an interface you used the ip access-list ACL_NAME in|out command in interface configuration mode. To assign an IPv6 ACL to an interface you’ll use the ipv6 traffic-filter ACL_NAME in|out command in interface configuration mode.

You can view current ACL statistics by using the show ipv6 access-list command in user or privileged mode.

Familiarize yourself with the following new command(s);

Command

Description

ipv6 access-list NAME

This command when executed in interface configuration mode enables OSPFv3 per specified process id and area id.

sequence seq#

This command is executed in IPv6 access-list configuration mode to insert a new sequence number in the list. You can delete or add ACL lines in specific spots of the ACL using sequence numbers.

ipv6 traffic-filter ACL_NAME in|out

This command when executed in interface configuration mode will apply an Access Control List on an interface in an ingress or egress direction of the interface.

show ipv6 access-list

This command can be executed in user or privileged mode to view current Access Control List entries and statistics.

In this lab you will configure an Access-list on R2 to prevent traffic sourced from R1’s loopback interface destined to R3’s loopback0 interface be denied on port 80 and permit all other traffic.

The following logical topology will be used for this lab;

Lab Prerequisites

If you are using GNS3 than load the Free CCNA Workbook GNS3 topology than start device(s); R1, R2 and R3

Establish a console session with device(s) R1, R2 and R3 than load the initial configurations provided below by copying the config from the textbox and pasting it into the respected routers console.

Lab Objectives

Verify that you’re able to ping R3’s loopback0 interface from R1’s Loopback0 interface.

As shown above you can see that traffic from R1’s loopback0 destined to R3’s loopback0 interface via port 80 is now being dropped at R2. You can further verify this by viewing the Access List Statistics on R2 as shown below;